You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.


Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.


Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.


Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.

  1. DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
  2. DVD>Install Lion
  3. Reboot, hopefully Lion install kicks in
  4. Update, update, update Lion (NOT Lion Server yet) until no more updates
  5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  6. Terminal>$ sudo scutil --set HostName server.domain.com
  7. App Store>Install Lion Server and run through the Setup
  8. Download install Server Admin Tools, then update, update, update until no more updates
  9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  11. A few DNS set-up steps and these most important steps:


  • A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  • B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  • C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  • D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  • E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  • F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  • G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  • H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  • I. Test from web browser server.domain.com/mydevices: Lock Device to test
  • J. ??? Profit



12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.


You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.


Firewall


Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.


SSH


Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.


PermitRootLogin no

PasswordAuthentication no

ChallengeResponseAuthentication no


I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.


Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.


client$ ssh-keygen -t rsa -b 2048 -C client_name

[Securely copy ~/.ssh/id_rsa.pub from client to server.]

server$ cat id_rsa.pub > ~/.ssh/known_hosts


I also like DenyHosts, which emails detected ssh attacks to admin@domain.com. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:


$ diff denyhosts.cfg-dist denyhosts.cfg

12c12

< SECURE_LOG = /var/log/secure

---

> #SECURE_LOG = /var/log/secure

22a23

> SECURE_LOG = /var/log/secure.log

34c35

< HOSTS_DENY = /etc/hosts.deny

---

> #HOSTS_DENY = /etc/hosts.deny

40a42,44

> #

> # Mac OS X Lion Server

> HOSTS_DENY = /private/etc/hosts.deny

195c199

< LOCK_FILE = /var/lock/subsys/denyhosts

---

> #LOCK_FILE = /var/lock/subsys/denyhosts

202a207,208

> LOCK_FILE = /var/denyhosts/denyhosts.pid

> #

219c225

< ADMIN_EMAIL =

---

> ADMIN_EMAIL = admin@domain.com

286c292

< #SYSLOG_REPORT=YES

---

> SYSLOG_REPORT=YES



Network Accounts


User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:


2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092


Oh well.


Email


Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this


root: myname

admin: myname

sysadmin: myname

certadmin: myname

webmaster: myname

my_alternate: myname


Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:


cd /etc/postfix

sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options

sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf

sudo serveradmin stop mail

sudo serveradmin start mail


Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.


If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.


iCal Server


Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.


Web


The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:


$ diff httpd.conf.default httpd.conf

95c95

< #LoadModule ssl_module libexec/apache2/mod_ssl.so

---

> LoadModule ssl_module libexec/apache2/mod_ssl.so

111c111

< #LoadModule php5_module libexec/apache2/libphp5.so

---

> LoadModule php5_module libexec/apache2/libphp5.so

139,140c139,140

< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so

< #LoadModule encoding_module libexec/apache2/mod_encoding.so

---

> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so

> LoadModule encoding_module libexec/apache2/mod_encoding.so

146c146

< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so

---

> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so

177c177

< ServerAdmin you@example.com

---

> ServerAdmin admin@domain.com

186c186

< #ServerName www.example.com:80

---

> ServerName domain.com:443

677a678,680

> # Server-specific configuration

> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart

> Include /etc/apache2/mydomain/*.conf


I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.


Alias /eyetv /Users/uname/Sites/EyeTV

<Directory "/Users/uname/Sites/EyeTV">

AuthType Digest

AuthName "EyeTV"

AuthUserFile /Users/uname/.htdigest

AuthGroupFile /dev/null

Require user uname

Options Indexes MultiViews

AllowOverride All

Order allow,deny

Allow from all

</Directory>

Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"

<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">

AuthType Digest

AuthName "EyeTV"

AuthUserFile /Users/uname/.htdigest

AuthGroupFile /dev/null

Require user uname

Options Indexes MultiViews

AllowOverride All

Order allow,deny

Allow from all

</Directory>


I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".


Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.


One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.


Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:


User-agent: *

Disallow: /


Misc


VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

Mac mini, Mac OS X (10.7.2), Lion Server, 8 GB

Posted on Dec 12, 2011 1:32 PM

Reply
14 replies

Dec 13, 2011 1:11 PM in response to realzcubed

Hi S.T. Smith,


Great write up! Do you have any Mac clients bound to the Lion Server? I have not been able to bind either Lion or Snow Leopard clients to my server. If so, where in your steps would you configuring Open Directory & DHCP? Is there anything special that needs to be done with Open Directory?




Thanks,



John

Dec 13, 2011 1:50 PM in response to JFWX5

Yes, I have bound a SL client to the server -- I just followed the GUI and it worked.


The magic, undocumented step above that creates an OD Master with absolutely no user configuration other than diradmin's password is:


D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]


After that, Server Admin>OD can be used for configuration. And I run behind a router so I don't enable DHCP, though you can configure it and turn this on using Server Admin or, presumably, serveradmin from the command line.


If you have a dynamic IP, I should also mention the great program ddclient, which automatically checks your IP every 10 minutes and updates the DNS registration tables if it changes. This is App Store>Download Xcode, install, then install Macports, then "sudo port selfupdate ; sudo port install ddclient ; sudo port load ddclient". A working config file /opt/local/etc/ddclient/ddclient.conf has entries that look like:


daemon=600 # check every 10 min


mail=sysadmin # mail all msgs to root

mail-failure=sysadmin # mail failed update msgs to root


protocol=dyndns2

use=web

login=my-username

password=my-password

domain.dyndns-ip.com


protocol=namecheap, \

server=dynamicdns.park-your-domain.com, \

login=domain.com, \

password=XXXXXXX-hash-from-dns-registrar-XXXXXXXXXX \

@


protocol=namecheap, \

server=dynamicdns.park-your-domain.com, \

login=domain.com, \

password=XXXXXXX-hash-from-dns-registrar-XXXXXXXXXX \

server


protocol=namecheap, \

server=dynamicdns.park-your-domain.com, \

login=domain.com, \

password=XXXXXXX-hash-from-dns-registrar-XXXXXXXXXX \

www

Dec 14, 2011 7:24 PM in response to realzcubed

Hello Again,



I'm a little confused with step "6. Terminal>$ sudo scutil --set HostName server.domain.com". I'm trying to name my server "serverm1.mydomainname.com I've run the following scutil commands:


sudo scutil --get ComputerName = serverm1


sudo scutil --get LocalHostName = serverm1


sudo scutil --get HostName = HostName: not set



On my last install of Lion server, it seemed that it was always reverting to serverm1s-mac-mini and I just want to make sure everthing is correct prior to installing the server app.


Thanks,


John

Dec 19, 2011 4:57 AM in response to JFWX5

The command "scutil --set HostName server.domain.com" and a reboot should be all that's necessary to correctly set the computer hostname. If not working (and in general), try these:


0. Fix disk permissions

1. Shut down+boot

2. Reset PRAM (who knows what the hardware remembers?!)

3. SCM reset

4. If installing over a previous server build, did you erase the disk, or merely repartition? …

Jan 21, 2012 4:44 PM in response to realzcubed

Thanks for the time and effort you've put in to produce this guide. It's been very helpful. One thing I would say is that if you wish to change your hostname after installing Server.app it is possible using the following steps.


1) Open Server and go to Hardware -> Network. Click 'Edit' under Host Name and follow the change assistant to select a new hostname.


To generate new certificates for the new hostname you will need to rebuild the Open Directory Master and the most reliable way I've found of doing this is as follows (however before doing the following you should export all users from Workgroup Manager, click on a user and choose 'export' from the file menu and save as a .xml, as they will be deleted when you perform the next step. Repeat for any groups and machines you have):


2) Open Server Admin and go to Open Directory -> Settings -> General. Click 'Change' under Role and follow the change assistant to set up a standalone directory.


Right now to rebuild your Open Directory server with the updated domain name and to new certificates


3) Open Server and go to Hardware -> Settings. Click 'Edit' under SSL Certificates and select None.


4) Open Terminal and change directory to '/usr/share/devicemgr/backend'. Now type run the command 'sudo ./wipDB.sh'.


5) Quit and restart Server and got to Profile Manager and switch it on. The assistant will help you set it up a new Open Directory Master and create new certificates with your new domain name.


6) Finally import or recreate your users either using Server or via the backups you created at step 1) by importing them into Workgroup Manager along with any user specific and machines specific rules.


Hopefully this avoids a few people having to wipe / revert their Server installs.

Jan 22, 2012 5:16 AM in response to realzcubed

S.T.Smith wrote:


Network Accounts


User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:


2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':

User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092


Oh well.



There is a simple fix for this, open Directory Utility (/System/Library/CoreServices) and modify the AltSecurityIdentities property for those users that are showing the misconfiguration error. It seems like using Workgroup Manager to create users still has a few bugs.

Jan 28, 2012 5:34 AM in response to tagme10k

Thanks for the SSL instructions and Kerberos fix!


Here are a few more useful items on Lion Server working with iOS:


Encrypted and Signed Email


OS X support of SMIME signed and encrypted emails works well once you discover the (undocumented) method of creating your own PKI certificate with Keychain Access.


  1. Quit Mail.app
  2. Open Keychain Acess and make sure you don't have any old certificates in your keychain with your email address. Look in "My Certificates" and use the search bar in the upper RHS. Delete any old SMIME certs that use your email address as these will prevent OS X's secure email functions from working without any error messages.
  3. Create your certificate using Keychain Access>Certificate Assistant>Create A Certificate… with these non-default details. See this Apple Discussions comment "OSX Mail - Encryption Won't Work" for the correct way to create a cert that will work with OS X Mail.
    • Self-signed root, check override defaults
    • Key Usage Extension: Check ALL boxes, not just the default "Signature" box. Certainly overkill, but it works. Perhaps someone can post the minimally necessary setting for this cert to work with OS X Mail encryption and signing.
    • Find your new certificate in Keychain Access, open it, and trust it. I trusted it for everything, but I believe that just S/MIME and X.509 settings are adequate.
  4. Relaunch Mail.app. You'll get a little encryption and signing toggle in the upper RHS of every email composition window. Once you send yourself or anyone else a signed email message, this will also work in iOS 5 devices. See this Ars article for details and screenshots. YOUR CONTACTS MUST TRUST YOUR CERT WITHIN THEIR OWN KEYCHAIN TO BE ABLE TO VERIFY AND ENCRYPT MESSAGES TO YOU.


If someone knows an easy/convenient way to upgrade these certs after they expire after one year (and they've been shared with others in your contact list), please post.



AirPrint


iOS AirPrint works great with older printers that do not support AirPrint using AirPrint Activator. To install a working version on Lion Server:


  1. Copy AirPrint Activator to the Applications folder
  2. System Preferences>Print and Scan>+ to add your printer, which may be connected over WiFi LAN.
  3. Reboot.
  4. Server Admin>Firewall>Add service "AirPrint Activator" with open ports 19631-19639 and TCP AND UDP. Restart firewall.
  5. Reboot. And add AirPrint Activator to your account's Login Items so it launches automatically.


You should now be able to print from your iOS devices through Lion Server to your printer.

Jan 28, 2012 6:07 AM in response to realzcubed

Fax


Faxing is quite a stupid (ok antiquated) technology -- digitize paper, send the bits, print them on more paper and forget them -- but sometimes you need to send one, especially if you're interacting with the health care industry. Following this discussion, you can get a working ~$12 faxer on your server. I've confirmed that this USB Modem works with a Mac Mini. I'd also highly recommend a RJ12 surge protector to isolate your box from the phone lines -- I personally had a lightning strike fry the modem on an older box. After you attach the usb modem, go to System Preferences>Print & Scan and add your usb modem as a faxing device. OS X will now offer the option of faxing whenever you print something.


This can also be done from the command line, ,allowing scripting, with the built-in /usr/bin/fax command. First, save your document as a PostScript .ps file. Then:


$ sudo fax FROM='"123-456-7890"' NAME='"My Name"' make file.ps

$ sudo fax FROM='"123-456-7890"' NAME='"My Name"' send "*70-1-098-765-4321" file.ps.001


Though faxing works fine with OS X print commends, this second command failed to send anything over my phone line. If anyone knows of a command line faxing fix, please post:


efax v 0.9a-001114 Copyright 1999 Ed Casas. Compiled Jun 13 2011 16:41:35

efax: Sat Jan 28 09:03:30 2012 Warning: local ID (123-456-7890) has non-standard characters

efax: 03:30 opened /dev/cu.usbmodem24680241

efax: 03:31 initializing modem

efax: 03:32 using CX93001-EIS_V0.2002-V92 in class 1

Feb 8, 2012 7:47 AM in response to realzcubed

Privacy Enhancing Filtering Proxy and SSH Tunnel


Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.


If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:


$ ./ssht 8080:user@domain.com:3128

$ ./ssht 8080:alice@:

$ ./ssht 8080:

$ ./ssht 8018::8123

$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]


$ vi ./ssht

#!/bin/sh

# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]


USERNAME_DEFAULT=username

HOSTNAME_DEFAULT=domain.com

SSHPORT_DEFAULT=22


# SSH port forwarding specs, e.g. 8080:localhost:3128

LOCALHOSTPORT_DEFAULT=8080 # Default is http proxy 8080

REMOTEHOST_DEFAULT=localhost # Default is localhost

REMOTEPORT_DEFAULT=3128 # Default is Squid port


# Parse ssh port and tunnel details if specified

SSHPORT=$SSHPORT_DEFAULT

TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT

while [ "$1" != "" ]

do

case $1

in

-p) shift; # -p option

SSHPORT=$1;

shift;;

*) TUNNEL_DETAILS=$1; # 1st argument option

shift;;

esac

done


# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port

shopt -s extglob # needed for +(pattern) syntax; man sh

LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT

USERNAME=$USERNAME_DEFAULT

HOSTNAME=$HOSTNAME_DEFAULT

REMOTEHOST=$REMOTEHOST_DEFAULT

REMOTEPORT=$REMOTEPORT_DEFAULT


# LOCALHOSTPORT

CDR=${TUNNEL_DETAILS#+([0-9]):} # delete shortest leading +([0-9]):

CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS

CAR=${CAR%:} # delete :

if [ "$CAR" != "" ] # leading or trailing port specified

then

LOCALHOSTPORT=$CAR

fi

TUNNEL_DETAILS=$CDR


# REMOTEPORT

CDR=${TUNNEL_DETAILS%:+([0-9])} # delete shortest trailing :+([0-9])

CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS

CAR=${CAR#:} # delete :

if [ "$CAR" != "" ] # leading or trailing port specified

then

REMOTEPORT=$CAR

fi

TUNNEL_DETAILS=$CDR


# REMOTEHOST

CDR=${TUNNEL_DETAILS%:*} # delete shortest trailing :*

CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS

CAR=${CAR#:} # delete :

if [ "$CAR" != "" ] # leading or trailing port specified

then

REMOTEHOST=$CAR

fi

TUNNEL_DETAILS=$CDR


# USERNAME

CDR=${TUNNEL_DETAILS#*@} # delete shortest leading +([0-9]):

CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS

CAR=${CAR%@} # delete @

if [ "$CAR" != "" ] # leading or trailing port specified

then

USERNAME=$CAR

fi

TUNNEL_DETAILS=$CDR


# HOSTNAME

HOSTNAME=$TUNNEL_DETAILS

if [ "$HOSTNAME" == "" ] # no hostname given

then

HOSTNAME=$HOSTNAME_DEFAULT

fi


ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \

&& echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \

|| echo "SSH tunnel FAIL."

Mar 28, 2012 12:52 PM in response to realzcubed

S.T Smith - I can't tell you enough how thankful I am to have found this extensive post. People who write "tech manuals", "Admin Guides" and "User Guides" should sit up and take notice. SImple terms - strait and to the point. No head scratching after reading... This should set an assistance standard/example for anyone and everyone who posts help on these and other forums. My guess is that you'll be receiving heaps of accolades here as you should. It's folks like you and "Burton11234" (and I'm sure many others) who make this such a critical and invaluable resource. Great work and thanks again for taking the time. I'm following your steps here and will post back when I'm up and running.

Apr 23, 2012 9:52 PM in response to realzcubed

Thank you so much! After much frustration and time spent flicking around reading expensive books and then to stumble upon this thread has been an absolute freakin blessing.


I urge anyone that has already began to setup their servers and are having issues and have wasted huge amounts of time (I had massive OD headaches every rebuild (was a TM backup issue corruption in the end)) to just bite the bullet, suck it up, format and re-install (In my case it was 9 times reinstalling from the online osx lion recovery - |CRAP| believe you me, 7hrs to re-install an OS is just |BS|. Now all that is behind me and I have churned out many osx server builds since and am quite happy with that now 'it just works' thanks to the ordered approach and very helpful guidance to getting the services up and running VERY smoothly.


Talk about |PITA|!


Thank you to some of the other admissions, they have helped imensely as well!

How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.